Utilize basic read-write functions

Sky-Tiger

Sky-Tiger

Disadvantage for the End-User:
No transitive dependency support. Must manually reference optional dependency in own project.
May have to configure which SPI implementation to use.

Advantage for the Library Developer:

Sky-Tiger

"Adding a second sandbox around the permissions system called the Java sandbox will surely make Java safer," Schierl said, it's just that it is hard or even impossible to do so."

Java has a vast trusted code base, Schierl said, referring to the amount of code that is inherently trusted by a client machine running a Java program. This enables a program to read configuration files and the registry, store data to cache directories and other functions.  To prevent the original sandbox from terminating normal Java applets, Schierl added, these "safe" functions would have to be whitelisted in a second sandbox.

Automated toolkits are fueling most of the attacks that exploit Java flaws. BlackHole and other toolkits make the process easy and systems without the latest patches installed face the most risk, experts say. But even fully deployed systems can be targeted.

Sky-Tiger

Just this week, researchers discovered two Java zero-day vulnerabilities in the latest version of the programming language. Exploit code targeting the vulnerabilities, which is rated extremely critical by Danish vulnerability clearinghouse Secunia, is publicly available. Attackers can use the flaws to bypass restrictions, install a dropper and remotely control data stealing malware using a variant of the PoisonIvy Trojan.

Software security expert Gary McGraw, CTO of Dulles, Va.-based Cigital Inc., said the impetus should be on Oracle engineers to do a better job finding and correcting flaws in the Java virtual machine.  Today the Java is maintained by Oracle; the Redwood Shores, Calif.-based vendor has not responded to an interview request. The company also has not yet acknowledged the latest zero-day flaws or the publicly available attack code.

Sky-Tiger

"It would be better for everybody if the Java virtual machine sandbox was just repaired," McGraw said. "The security mechanisms designed into Java are not so terrible; they are complicated and they have to be implemented exactly right. And exactly right turns out to be real hard."

Hundreds of millions of lines of code in Oracle’s codebase are written in Java, noted Eric Maurice, director of software security assurance at Oracle in a blog entry on Java security in February.  Maurice said Oracle had added development staff dedicated to Java security, and that additional code-scanning tools were adopted to detect and address vulnerabilities.

"With these new resources available to them as a result of the Oracle acquisition, the Java development team is weeding out security bugs in Java, and is looking at ways to further improve the security posture provided by Java to its users," Maurice wrote.

Java's age, complexity and install base make it a very attractive target for attackers, said Wolfgang Kandek, CTO of Redwood City, Calif.-based vulnerability management vendor Qualys Inc.  Kandek said Oracle could restrict the resources the JVM uses or request permissions, but additional restrictions would likely not be very practical.

Sky-Tiger

"Oracle acquired a huge code base; a very successful code base and they have to work through the problems that come with it," Kandek said.  

According to Kandek the most practical solution for enterprises is to control where Java is running and only run it when necessary. Enterprises IT teams can use registry zones to implement tighter restrictions, he said.

Related Topics: Software Development Methodology, Web Browser Security, Application Attacks (Buffer Overflows, Cross-Site Scripting), Web Application Security, VIEW ALL TOPICS

Sky-Tiger

his page lists announcements of security fixes made in Critical Patch Update Advisories and Security Alerts, and it is updated when new Critical Patch Update Advisories and Security Alerts are released. It is possible to receive notification of new announcements by email, as explained in the page linked below. Security fixes in third party products distributed with Oracle products are announced in the Third Party Bulletin, whose purpose and location is explained below.

Click here for instructions on how to configure email notifications.
Click here to read the Technical White Paper, "Critical Patch Update Implementation Best Practices"

This page contains the following sections:

Critical Patch Updates
Security Alerts
Third Party Bulletin
Public Vulnerabilities Fixed
Policies
Reporting Security Vulnerabilities
References

Sky-Tiger

Regular expressions are a language of string patterns built in to most modern programming languages, including Java 1.4 onward; they can be used for: searching, extracting from, and modifying text.

How many times have you come to a piece of code, only to find a tangled mess of string comparisons and index checks - how many time have you written one? Granted, there is a time and place for index-based iteration and tokenization, but maybe it's time to bite the bullet and learn how to use a real text-manipulation tool.

Sky-Tiger

Regular expressions are not difficult to master – in fact, they are quite easy. A good strategy, whenever building a new regular expression, is to start with the simplest, most general match possible. From there, add more and more complexity until you have matched, substituted, or inserted exactly what you need. It is an iterative development process, unless you are already very practiced, so just because it seems difficult at first, does not mean that you should give up and go back to your web of `indexOf` and `contains`.

Sky-Tiger

Regular expressions can greatly reduce time to delivery, and can also greatly reduce code complexity; however, this comes at a cost. Regular expressions can become fragile, and without proper unit tests, maintainance can become expensive and dangerous. Like any other piece of code, tests are life; don't do unto others what you would not have them do unto you.

Don't leave complex regular expressions un-tested, and conversely, if you are confused by a regular epression you find, maybe you should spend a little time to figure out what it does, and write some tests to validate your beliefs - in the end, you'll be glad you did.